In our review of OS X Server, we found that Mountain Lion has a lot to offer home users or Mac-centric small businesses. Enterprise-level features, however, have fallen by the wayside. Luckily, some great first- and third-party tools exist to help close the gap between Apple's server product and more robust enterprise management systems from the likes of Microsoft and Dell.

Some of the products are free open-source programs, and some are strong, for-pay products intended for use with hundreds if not thousands of Macs. Whatever your needs are, this list of applications should point you in the right direction if you're looking to extend OS X Server's capabilities.

Apple Remote Desktop

Sending a Software Update UNIX command with Apple Remote Desktop.

One of OS X Server's most glaring blind spots relative to Windows Server and Active Directory is software management. There's no way to install third-party applications on Macs that are already out in the field. And if you use a program like DeployStudio to install applications when you set up your Mac, it isn't much help to you once the Mac is off your desk and out in the field.

Apple Remote Desktop, available from the Mac App Store for $79.99, helps to alleviate these problems. In addition to being able to install programs that come in .pkg, .mpkg, and .app files, it will also let you view and control users' screens, view information and generate reports about hardware and software, and perform UNIX commands. With those UNIX commands, you can force computers to install available updates, change passwords, and do just about anything you can do from the Terminal.

If you've got laptops that travel or other computers that aren't always online, you can also make sure that all of your Macs receive your applications and updates using Apple Remote Desktop's Task Server feature. All you have to do is install Apple Remote Desktop on two computers—one, which can be the Mac that you use from day-to-day, can be used to issue commands to the second, which should be a computer that is always connected to your network (your OS X Server, for example). If you send a command to your Task Server, it will continuously send that command out to all computers once they're available on the network, and you can easily keep track of which computers have and haven't yet received new applications and updates.

Apple Remote Desktop does come with caveats: there's not an automated way to keep your list of Macs up to date across multiple computers. Trying to scan for Macs on your network is useless if the machines are shut down or asleep. The software itself has seen only incremental updates since version 3.0 was released in 2006. For $79.99, it's a pretty solid management tool, but you will have trouble scaling it beyond a few hundred computers.

Cauliflower Vest: Centralized FileVault management

By default, FileVault keys can only be saved manually or stored with Apple, not on a local server.

FileVault 2, introduced in Lion, is a capable full-volume encryption solution, but it lacks important features for businesses and enterprises. There's no way to mandate that all Macs be encrypted, there's no way to confirm at any given moment that a lost or stolen Mac is still encrypted, and there's no way to store the decryption keys locally so that administrators can unlock drives in the event of an emergency.

Enter Cauliflower Vest, an open source project intended to bring enterprise-level features to FileVault 2. Administrators can use either a GUI or a command-line tool to initiate FileVault encryption on client computers, which send their FileVault keys to a Google App Engine-hosted server for use by administrators when they need to unlock drives to access or recover files. The KeyCzar package is used to encrypt the keys to keep them safe (though as the documentation notes you'll want to carefully control who can access and administer your App Engine instance).

The software requires a little bit of time to set up—you'll have to download the source code, build and test it with Xcode, and configure the App Engine backend before you can use it, but the documentation provided in the project's wiki is pretty extensive. If you've got additional questions, the software's developers also hold "office hours" every other Monday for two hours to help people out.

DeployStudio: Powerful and customizable OS X image deployment

Building DeployStudio workflows can completely eliminate the need for manual configuration of computers.

We've already discussed DeployStudio's capabilities and installation process at some length, but it belongs on any list of valuable OS X Server add-ons. While OS X Server's built-in System Image Utility allows for the creation and customization of simple OS X images, the free but ad-supported DeployStudio gives you the power to install custom applications, bind computers to Active Directory and Open Directory, enable firmware passwords, capture and deploy Windows and Linux images for dual- or triple-boot setups, create user accounts, run scripts, and more.

All of this is done using customizable workflows which allow you to mix and match images, applications, scripts, and other settings to create customized software deployments for various computers without actually having to create multiple images. DeployStudio has other benefits for the larger business as well: you can create replica servers for purposes of load balancing and redundancy, and associate particular Macs with particular workflows to automate the imaging process for Macs that are reloaded frequently (think laptop loaner pools or Macs in computer labs).

DeployStudio can be run from an external USB drive, but if you use it in tandem with the NetInstall service, you can boot, image, and deploy customized Macs throughout your organization without ever handling OS install discs or external drives. DeployStudio's documentation and forums are both good resources for more information, though our article will also walk you through basic setup and workflow creation.

Reposado: More flexible software updating

Apple's Software Update service allows you to host software updates on a local server, reducing Internet bandwidth used and letting you hold back updates from your users for testing. It isn't as flexible as something like the Windows Software Update Services (WSUS), though—for one, it's an all-or-nothing deal. Either all of your Macs connected to that server get all of the updates that are available, or none of them do. That's where something like Reposado can be helpful.

To illustrate how Reposado works, let's go over how Software Update works in OS X: when your Mac checks for updates from Apple, it downloads and looks at a giant XML file that lists all of the available updates. This XML file is called a Software Update catalog, and appropriately uses a .sucatalog extension.

A snippet of the giant XML file that lists all Apple software updates.

What Reposado allows you to do is create and host multiple .sucatalog files on a single server. You could, for example, create one "testing" update catalog that gets new updates more quickly than the standard catalog, or create different update lists for different groups of Macs. Using Profile Manager or Workgroup Manager, you can easily point different groups of computers to these different .sucatalog files. Reposado can also be used to offer just the update catalogs but not the updates themselves, in the event that you want to control what your Macs download from Apple's servers but don't want to host the packages yourself.

While Reposado can be hosted on an OS X Server, its only real dependencies are Python, the curl tool, and a Web server. Apache, the Web server that comes with OS X Server, is supported, but any server software can be used. The upshot of this is that you can use Reposado to host a local Software Update server not just on OS X, but also on Windows and Linux servers.
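To make the catalog-branching idea concrete, here is a short Python sketch added for illustration. It is not Reposado's code and does not use its API. It takes one upstream catalog and derives a "testing" branch and a more conservative "release" branch from lists of approved product IDs. The sample catalog, product IDs and host names are constructed, and the key names (`Products`, `Packages`, `URL`, `PostDate`) are assumed from the property-list layout of Apple's catalogs.

```python
import copy
import plistlib
from urllib.parse import urlsplit

# Constructed, heavily shortened stand-in for a .sucatalog (an XML property
# list). Product IDs, dates, sizes and host names are invented for this example.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CatalogVersion</key><integer>2</integer>
  <key>IndexDate</key><date>2012-08-01T12:00:00Z</date>
  <key>Products</key>
  <dict>
    <key>EX-0001</key>
    <dict>
      <key>PostDate</key><date>2012-07-20T00:00:00Z</date>
      <key>Packages</key>
      <array><dict>
        <key>URL</key><string>http://swcdn.example.invalid/content/EX-0001/SecurityUpdate.pkg</string>
        <key>Size</key><integer>1048576</integer>
      </dict></array>
    </dict>
    <key>EX-0002</key>
    <dict>
      <key>PostDate</key><date>2012-07-28T00:00:00Z</date>
      <key>Packages</key>
      <array><dict>
        <key>URL</key><string>http://swcdn.example.invalid/content/EX-0002/BrowserUpdate.pkg</string>
        <key>Size</key><integer>2097152</integer>
      </dict></array>
    </dict>
    <key>EX-0003</key>
    <dict>
      <key>PostDate</key><date>2012-07-31T00:00:00Z</date>
      <key>Packages</key>
      <array><dict>
        <key>URL</key><string>http://swcdn.example.invalid/content/EX-0003/FirmwareUpdate.pkg</string>
        <key>Size</key><integer>524288</integer>
      </dict></array>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_catalog(data):
    """Parse the raw bytes of a catalog into a dictionary."""
    return plistlib.loads(data)


def build_branch(catalog, approved_ids, local_base=None):
    """Return a new catalog that lists only the approved products.

    With local_base set, package URLs are rewritten to that server (packages
    hosted locally). Without it, the URLs keep pointing upstream, which is the
    catalog-only mode: clients see a restricted list but download from Apple.
    """
    unknown = sorted(set(approved_ids) - set(catalog["Products"]))
    if unknown:
        # A typo in an approval list should fail loudly, not silently drop a patch.
        raise ValueError("not in upstream catalog: " + ", ".join(unknown))
    branch = {k: v for k, v in catalog.items() if k != "Products"}
    branch["Products"] = {}
    for pid in approved_ids:
        product = copy.deepcopy(catalog["Products"][pid])  # leave upstream untouched
        if local_base:
            for pkg in product.get("Packages", []):
                pkg["URL"] = local_base.rstrip("/") + urlsplit(pkg["URL"]).path
        branch["Products"][pid] = product
    return branch


def held_back(catalog, branch):
    """Product IDs available upstream that this branch does not offer yet."""
    return sorted(set(catalog["Products"]) - set(branch["Products"]))


if __name__ == "__main__":
    upstream = load_catalog(SAMPLE_CATALOG)
    # "testing" gets updates first and stays catalog-only; "release" lags behind
    # and serves packages from a hypothetical internal host.
    testing = build_branch(upstream, ["EX-0001", "EX-0002"])
    release = build_branch(upstream, ["EX-0001"],
                           local_base="http://sus.example.internal")
    for name, branch in (("testing", testing), ("release", release)):
        print(name, "offers", sorted(branch["Products"]),
              "holds back", held_back(upstream, branch))
        print(len(plistlib.dumps(branch)), "bytes when written as", name + ".sucatalog")
```

The `held_back` list is the part worth reviewing regularly: it shows which updates, security fixes included, a group of Macs has not yet been offered.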

The Casper Suite

All of the tools we've discussed so far have been either free or relatively low-cost, but that's not necessarily true of JAMF Software's Casper Suite. It's an enterprise-level product with an enterprise-level price tag, one that varies based on how many devices you need to cover, whether those devices are running OS X or iOS, and whether you're an educational institution. Like many enterprise software packages, there's an up-front charge for using the software, and after that a yearly support and maintenance renewal fee. A JAMF representative wouldn't give us more specific information on pricing, but did say that it was "priced quite competitively" with comparable products, which means that a five-figure price tag will be pretty common depending on how many computers you're trying to manage.

The Casper Suite's architecture. The JAMF Software Server, which can run on most popular server platforms, controls the rest of the pieces.

The extra cash outlay will get you many extra features, though: the Casper suite can do just about everything we've outlined above and then some. It can manage Apple and third-party software installation and updates, as well as FileVault and other third-party encryption software. It can also create and deploy images, and it gives you the ability to view and control the screens of remote computers. Users can even go to a self-service portal to get their own applications.

All of this is run through the JAMF Software Server (JSS), the central utility that controls the inventory management, imaging, and software package creation pieces of the suite. Like Reposado, the JAMF Software Server will run on an OS X Server, but it doesn't require one—it can run on Windows Server, Ubuntu, and Red Hat Enterprise Linux as well. This is the software for the enterprise that wants to manage Macs, but doesn't want to deal with Apple's lack of true server hardware.

Conclusions

Depending on what you need and how large your business is, these add-ons should help you turn a Mountain Lion Server into something that can do more for your organization than the off-the-virtual-shelf software is capable of. Some of them take some work to configure, but they can be used to meet needs that Apple won't. The list of available add-ons for Mountain Lion will only get better once the software has been out for longer than two weeks. If you've got your own tools that you use to extend OS X Server's functionality, be sure to let us know about them.

Promoted Comments

I think there was an important omission in the article with regard to Casper Suite. As part of the initial purchase, Jamf Software requires a 2-day "training session" where they send someone to install/set up your JSS and conduct initial training. They charge several thousand dollars for this and it is not optional. For a neophyte, this is probably wise. But for experienced sysadmins, it's pretty ridiculous. But whatever your opinion on the required "server training", it's worth noting that it substantially increases the amount of the initial investment.

I'm currently administering a FileWave based deployment system .. but only until where I'm working finishes their Casper implementation project. I can honestly say that FileWave has caused me more pain than it really should have.

Another open source tool my company is currently evaluating is munki, https://code.google.com/p/munki/, to manage software installs. Most of our service requests for Apple products are for software installs and this would allow us to push software to people who want a particular piece installed.

When needing to manage a large group of OS X or iOS computers/devices, Casper has to be at the top of your list. If you're claiming to be an enterprise environment, then Casper is required. "It just works" sums up Casper well. When you're in an enterprise environment, you don't have time to be looking for solutions on a forum, or hoping someone else is dealing with the same thing. It's the way to go.

All of the open source projects mentioned are good, but if you are in charge of a medium to large IT shop, you don't have time for 'free' in many cases.

I'm going to second Puppet and Munki above. Once set up, to put a new machine into place we just need to turn it on and install puppet (which could also be pushed out to multiple machines with ARD). Puppet sets the machine up with all the settings we need, and installs Munki, which takes care of all our software installs.

We do have DeployStudio installed, which uses a vanilla OS X image with puppet installed.

Puppet is really amazing for keeping your machines set up the way you want.

I have not seen it in person, but I have read of shops that store Managed Preferences in LDAP. You can use some existing Apple software to make any changes that apply to a computer, a group, or a user.

Deployed 500 laptops 3 years ago, and the one big miss is definitely Casper Suite. Looked into it, and am definitely getting it next refresh.

I do currently use both Apple Remote Desktop & Deploy Studio, both of which are pretty sweet. Deploy Studio especially: Easy imaging and free.

--Any suggestions for a GUI for the missing dhcp server?--

We're running 10.6 servers, but there is a GUI DHCP server interface under Server Admin....

--I have not seen it in person, but I have read of shops that store Managed Preferences in LDAP. You can use some existing Apple software to make any changes that apply to a computer, a group, or a user.--

That's commonly referred to as the "Golden Triangle." In essence, you bind your Mac Server to both Open Directory (itself) and your LDAP server, and then create deprecated records based off LDAP records on the OD server. Now when your Apples talk to the OD server, they'll really communicate with the LDAP server. Obviously it's more complicated than that, but I'm not a huge fan. After fidgeting around with the setup for a while, I found it easier to just manage my Apples through OD (though we're a 95% Apple shop).

They showed SCCM SP1 at teched this year, and it had a Mac client. We still haven't deployed 2012 yet, but from the looks of it you'll be able to push software and run reports against your Macs. It's not as full featured as JAMF, but if you have few macs and are already invested in SCCM this seems like a possible avenue as well.

Munki http://code.google.com/p/munki/ definitely belongs on this list, it's a locally-managed Software Update, except it can also update, install and remove 3rd-party software. We use it at my university, and it's one of those it-just-works no-brainer solutions.

I don't know why I expected to find new Apple tools or features that were included with OS X Mountain Lion server based on the title (I guess I read "filling in the gaps" to mean something along the lines of "stuff we haven't covered yet.")

I'm cool with third parties creating anything that helps with Mac administration but I retain the impression that Apple doesn't have a lot invested in assisting the enterprise admin.

Do I understand correctly that Apple Remote Desktop costs more than Mountain Lion? Sheesh.

We've been running Apple Remote Desktop, Deploy Studio and FileWave for 3+ years, it helped tremendously to deploy a consistent and secure new OS (at the time 10.5) and keep all Macs updated on 8 sites.

Casper may have a better overall OSX - iOS integration, but we won't manage iOS directly : support and deployment is handled by another team, they will provide their own solution.

Thinking I'm handing over my encryption keys to Google ... it will never happen. Are they stupid?

"send their FileVault keys to a Google App Engine-hosted server for use by administrators when they need to unlock drives to access or recover files. The KeyCzar package is used to encrypt the keys to keep them safe (though as the documentation notes you'll want to carefully control who can access and administer your App Engine instance)."

If you really insist on running OSX server in an enterprise environment, then this article should have included an entire section on how to build a Hackintosh in order to get the hardware configuration that a server should actually have. Otherwise, as beebee and many others have suggested, "Just run a linux server like the rest of the world."

I am not so sure that running server software contrary to the wishes of the software vendor and in an unsupported manner is such a great idea. Theoretically, MacOS being a Unix should mean that it can integrate quite nicely with ANY Unix server you care to deploy. The solutions for the two platforms should not be mutually exclusive. That kind of defeats much of the point of being a Unix.

I think there was an important omission in the article with regard to Casper Suite. As part of the initial purchase, Jamf Software requires a 2-day "training session" where they send someone to install/set up your JSS and conduct initial training. They charge several thousand dollars for this and it is not optional. For a neophyte, this is probably wise. But for experienced sysadmins, it's pretty ridiculous. But whatever your opinion on the required "server training", it's worth noting that it substantially increases the amount of the initial investment.

It's not ridiculous. It lowers the potential support costs for Jamf and potential costs of major booboos for the client in the long run. Just because you're an experienced sysadmin it doesn't mean you will easily figure Casper out for yourself.

If you really insist on running OSX server in an enterprise environment, then this article should have included an entire section on how to build a Hackintosh in order to get the hardware configuration that a server should actually have. Otherwise, as beebee and many others have suggested, "Just run a linux server like the rest of the world."

I think that OSX is pretty much dead for enterprise with the Xserves discontinued. No sane admin will want to run OSX on unsupported hardware. My institution is looking into moving our OSX infrastructure (NetBoot, JSS, Software Update mainly) onto Linux or Windows because of this. Nobody wants to run OSX server on a hackintosh for mission critical applications.

I think there was an important omission in the article with regard to Casper Suite. As part of the initial purchase, Jamf Software requires a 2-day "training session" where they send someone to install/set up your JSS and conduct initial training. They charge several thousand dollars for this and it is not optional. For a neophyte, this is probably wise. But for experienced sysadmins, it's pretty ridiculous. But whatever your opinion on the required "server training", it's worth noting that it substantially increases the amount of the initial investment.

I disagree that it's pretty ridiculous. It may be a bit more expensive than necessary, but the training is very valuable. The depth and breadth of Casper is so large that it's easy to miss something or not use it fully. It's more than just installing the suite - they cover how to properly set up and use just about everything it is capable of. Just being an experienced SysAdmin doesn't mean one can use it right.

It's an expensive product, no doubt. But in my opinion for every 1000 computers it manages, it reduces the need for another tech. And it does that at a third the cost.

If you really insist on running OSX server in an enterprise environment, then this article should have included an entire section on how to build a Hackintosh in order to get the hardware configuration that a server should actually have. Otherwise, as beebee and many others have suggested, "Just run a linux server like the rest of the world."

I think that OSX is pretty much dead for enterprise with the Xserves discontinued. No sane admin will want to run OSX on unsupported hardware. My institution is looking into moving our OSX infrastructure (NetBoot, JSS, Software Update mainly) onto Linux or Windows because of this. Nobody wants to run OSX server on a hackintosh for mission critical applications.

This. We were a growing company that could fit into the OSX scope of just fitting into a Mac mini server setup but for future proofing we schedule xserve on our budget. The next week Apple announced xserve would not be continued. Since we were 10/90% windows/mac we chose to fully support our windows clients instead and if need be setup linux to support OSX. We only have 2 linux vms running now for package management and 1 mac mini as our profile manager but we are thinking about replacing it with casper suite instead since Apple is not enterprise.

I disagree that it's pretty ridiculous. It may be a bit more expensive than necessary, but the training is very valuable. The depth and breadth of Casper is so large that it's easy to miss something or not use it fully. It's more than just installing the suite - they cover how to properly set up and use just about everything it is capable of. Just being an experienced SysAdmin doesn't mean one can use it right.

It's an expensive product, no doubt. But in my opinion for every 1000 computers it manages, it reduces the need for another tech. And it does that at a third the cost.

I highly, highly recommend it for any business or school.

I think it depends on how/where you intend to use CSS. For an academic institution or standalone business, the pricing is still on the high side (when compared to Windows equivalents), but much easier to take when amortized over say 3 years. For 50 machines, the last pricing I got broke down to about $5.50 per Mac per month over 3 years. Additional machines dropped the per month cost a bit.

But for a service provider, who has to support various clients in various locations - and - recover the costs on an ongoing basis, the cost of Casper Suite becomes hard to justify. And this is primarily because of the cost of the "jumpstart" - $4800 according to the last quote I got from Jamf. The problem for service providers isn't so much the $5.50/Mac/month for the first 3 years. The problem is that for the first 50 machines, you're required to spend just a hair under $10,000 on Day 1. And if you do the math, nearly half of that is tied up in the 2-day 'jumpstart'. The opportunity cost of that money is REALLY high.

I think it's definitely good that the "jumpstart" is offered, but ridiculous that it's mandatory. Your points about its benefits are well taken, but again, not with the high opportunity costs given current pricing. As for the other poster who mentioned Jamf wanting to lower their support costs and avoid potential booboos for the client. . .that's the party line from Jamf on why it's mandatory, and I'm not buying it. If those were real concerns, Jamf could simply adjust their maintenance and per-incident support fees to account for that. Or if they insisted on my getting hands-on training, why not let me find my own Certified Casper Administrator to provide the training at a price agreed upon privately? Or. . .why not waive the requirement for anyone attending their Casper Suite Essentials course? But if those are their real aims, there are certainly ways to achieve them that are more cost effective for their customers.

It's not Jamf's product that has me really looking at Absolute Manage, it's their pricing model for support providers like me.

If you really insist on running OSX server in an enterprise environment, then this article should have included an entire section on how to build a Hackintosh in order to get the hardware configuration that a server should actually have. Otherwise, as beebee and many others have suggested, "Just run a linux server like the rest of the world."

I think that OSX is pretty much dead for enterprise with the Xserves discontinued. No sane admin will want to run OSX on unsupported hardware. My institution is looking into moving our OSX infrastructure (NetBoot, JSS, Software Update mainly) onto Linux or Windows because of this. Nobody wants to run OSX server on a hackintosh for mission critical applications.

Good - you get my point even if you missed the sarcasm. Which is dumber - Running an enterprise server on the wrong hardware or running a purposely limited OS on unsupported hardware? I suppose it would depend on what flavor of problems and support (or lack thereof) you would prefer.

In any event it's time for Apple to throw in the towel on servers, and with the Xserve being discontinued I kinda thought they'd already done that. I know the pro-Apple bias runs deep here (all the way to the top), but come on. "Great enterprise focused add-ons for OS X Server" implies that OS X Server has a place in the enterprise running on non-server hardware. The add-ons themselves may be great, but it's kind of like these idiots that put big-hole mufflers on Honda Civics: It may make it sound like and maybe even look more like a high performance sports car but at the end of the day it's still a low horsepower 4 cylinder engine under the hood that was designed for good gas mileage rather than high performance. In either case there aren't enough add-ons in the world to turn either one into something they're not.

One other thought: Isn't Mountain Lion still a dot oh release that's still being publicly debugged for issues like battery life in MacBooks? Notebooks are Apple's biggest Mac market and if they didn't even get it completely debugged for that do you really believe it's been torture-tested in a server environment? And you're actually suggesting someone use it as a server (on non-server hardware no less)?

It's pretty clear that Apple is a consumer electronics company and doesn't care much about the server market. I think this is evident even in their internal culture.

In any case, for organizations that aren't at the size to afford something like Casper, or where it just doesn't make sense for you to handle your own IT, there's services such as Robot Cloud <http://robotcloud.net>.

Full disclosure: My company, 55 Minutes, is the maker of Device Scout <http://devicescout.com>, which is a dashboard that sits on top of JAMF Casper Suite.

Minty> In the spring, I spoke at some length to Ben about Robot Cloud and whether it would be a good fit for an MSP to leverage his offering. He was very honest about the fact that for providers or institutions with ~50+ machines under management Robot Cloud probably doesn't make financial sense. His monthly rate is high, but is understandable considering what his costs are for CSS, Device Scout, and his infrastructure & expertise. But. . .compared to Windows-based RMM options (Labtech, Kaseya, etc), Casper Suite - and by extension, Robot Cloud - is really expensive.

That said, when I was talking to Ben about Robot Cloud I took a peek at Device Scout and I must say it looks awesome. If it didn't require Casper Suite, I would probably be using Device Scout for monitoring my clients' machines.

I will say that my experience with JAMF Software has been outstanding to date (over a year's experience). I'm only managing the iOS side of things at the moment, but want to get my Macs added to the system. The cost quoted to me for the initial on-site visit wasn't prohibitive at all, especially when you consider that you get the experts on-site for two days, training and a complete turn-key system when they leave. Their licensing per seat is cheaper by far (Educational) than any other package we looked at too.

I will also say that their support staff is one of the best I've dealt with. Their company is sleek enough to get personal service. I've submitted feature requests and received replies back from the engineers the same day stating the request will be implemented in their next update. I've never had to wait more than an hour (often times less than 10 minutes) for a response from my tech support guy when I have an issue too.

I'm not sure what their pricing for non-Educational environments is. But if you are in a school district, it is well worth it to go with them for your MDM and/or computer management.

I see people already mentioned Puppet and Munki, so all I'll add is that JAMF just updated the Casper Suite to add the ability to manage FileVault 2 keys and configurations, so if you've got Casper, you don't need Cauliflower Vest anymore. Thankfully, that was the difference in persuading my organization to use FileVault for our disk encryption.

My summary of the mac management world boils down to money- if you don't have a budget, get deploy studio, munki, and puppet set up. If you've got a decent budget, just buy Casper.

Andrew Cunningham / Andrew has a B.A. in Classics from Kenyon College and has over five years of experience in IT. His work has appeared on Charge Shot!!! and AnandTech, and he records a weekly book podcast called Overdue.